Rustock botnet downed by Microsoft

As many security companies and experts noted in the last few days, the activities of the Rustock botnet came to a standstill.

They speculated about the reason behind this sudden drop, but it was revealed only yesterday: after receiving permission from the US District Court for the Western District of Washington, Microsoft has mounted a coordinated action with the US Marshals Service and executed a number of online and offline actions that resulted in Rustock’s takedown.

“Like the Waledac takedown, this action relied on legal and technical measures to sever the connection between the command and control structure of the botnet and the malware-infected computers operating under its control to stop the ongoing harm caused by the Rustock botnet,” explained Richard Boscovich, Senior Attorney with the Microsoft Digital Crimes Unit.

What allowed Microsoft to file a suit against the anonymous operators of the Rustock botnet is the fact that its trademarks were abused in the spam sent by the botnet. “However, Rustock’s infrastructure was much more complicated than Waledac’s, relying on hard-coded Internet Protocol addresses rather than domain names and peer-to peer command and control servers to control the botnet,” said Boscovich.

In order to prevent a quick shift of infrastructure, the court allowed them to receive help from the US Marshals Service and physically capture evidence onsite and confiscate the affected servers from hosting providers for analysis.

“Specifically, servers were seized from five hosting providers operating in seven cities in the U.S., including Kansas City, Scranton, Denver, Dallas, Chicago, Seattle, Columbus and, with help from the upstream providers, we successfully severed the IP addresses that controlled the botnet, cutting off communication and disabling it,” reveals Boscovich. “Microsoft also worked with the Dutch High Tech Crime Unit within the Netherlands Police Agency to help dismantle part of the command structure for the botnet operating outside of the United States. Additionally, Microsoft worked with CN-CERT in blocking the registration of domains in China that Rustock could have used for future command and control servers.”

Bots – the infected computers – are still there, but they are now cut of from their herder(s). According to Microsoft’s investigation, the number of computers infected with Rustock malware reaches 1 million, and now is the time to start working with ISPs and CERTs around the world and coordinate efforts for notifying the owners of the infected machines and share knowledge about how to clean them up.

“We will continue to invest similar operations in the future as well in our mission to annihilate botnets and make the Internet a safer place for everyone,” states Boscovich. “However, no single company or group can accomplish this lofty goal alone. It requires collaboration between industry, academic researchers, law enforcement agencies and governments worldwide.”